This month we have a packed Law Update focusing on a sector that is a vital pillar for the region as it continues to push its economies to diversify. Education.
The Education sector has experienced, and overcome, its fair share of challenges. Today, across the region, it serves as an educational hub for nationals, residents, and a growing number of inbound international students.
The advances being made in the Education Sector are a result of Government initiatives being put in place to propel the sector to a global standard. This has piqued private sector interest and we are seeing more public private and international partnerships.
With Education being vital to the progress the region is making, we have a created an edition of Law Update that provides insights, commentary, and updates on the most pertinent developments within the sector. The articles come from a number of jurisdictions across the region and highlight key considerations and the latest legal trends taking shape.Read the full edition
Amy Land-Pejoska - Associate - Digital & Data
Cybersecurity can be summarised as the use of technology, and other measures, to ensure the safety of data and computer systems from incidents, both accidental and deliberate, that might compromise their integrity. For businesses, cybersecurity is of increasing importance. Besides the operational impact of a cybersecurity incident, such incidents can result in legal liability, reputational damage and financial loss. The urgent need to counter cybersecurity threats has resulted in greater measures being adopted by legislators and regulators around the world, and the situation in Saudi Arabia is no different.
In 2018, Saudi Arabia’s National Cybersecurity Authority (‘NCA’) issued guidelines in the form of Essential Cybersecurity Controls (‘ECC’). In 2019, the local telecoms regulator, the Communication and Information Technology Commission (‘CITC’), proposed a cybersecurity framework, the Cybersecurity Regulatory Framework (‘CFR’) for the Information Communications and Technology Sector (‘draft CRF’), aimed primarily at the telecommunications industry.
This article outlines the NCA’s ECC, and the proposed CRF for the Information Communications and Technology Sector.
The ‘NCA Regulation’ (the Regulation of the National Cybersecurity Authority, approved by Royal Decree No. 6801 dated 11/2/1439H (31 October 2017)) sets out the key features and responsibilities of the NCA. These include:
In 2018, the NCA published the ECC the minimum cybersecurity requirements for Saudi government organisations (including ministries, authorities, establishments and others) and its companies and entities, as well as private sector organisations owning, operating or hosting critical national infrastructure. The NCA encourages all other organisations in Saudi Arabia to utilise the ECCs to improve their cybersecurity.
The ECCs consist of 114 cybersecurity controls, linked to national and international regulatory requirements, structured into five main domains, comprising:
The ECC’s governance requirements contemplate the development and implementation of a cybersecurity strategy that contributes to compliance with relevant laws and regulations. They set out the personnel, processes and other steps that organisations, that are subject to the ECCs, need to put in place to achieve effective cybersecurity.
Cybersecurity roles and responsibilities are to be set out clearly and kept up to date. Cybersecurity is to be managed with the support of an ‘organisation head’, delegated to oversee the organisation’s cybersecurity strategy. Cybersecurity policies and procedures are to be adopted, supported by technical security standards and kept up to date. A risk management process is to be documented and implemented at key risk points and reviewed as necessary.
Project and change management present a cybersecurity risk for organisations. The ECCs require the adoption of cybersecurity policies and procedures relating to these activities. Personnel can also represent a significant risk to cybersecurity. Protocols to ensure that these risks are managed must be in place. Examples include employee vetting and cybersecurity awareness and training.
Finally, the ECCs require organisations to have a system in place so that cybersecurity controls are reviewed and audited.
Organisations subject to the ECCs need to have physical security and other measures in place to protect their information and technology assets from various threats. As a preliminary step, an inventory of all IT assets should be kept. Only authorised personnel should access information as required to perform their roles and access to other information should be restricted. Unauthorised access should be prevented by having systems to log on and establish credentials.
Organisations are required to take measures to protect information systems against cyber risks. As well as protecting workstations, devices and careful handling of external storage media, the email service and external web applications need to be protected appropriately. Various minimum requirements to manage the security of an organisation’s network are mandated. The use of mobile devices and employees’ own devices pose their own additional cybersecurity risks, and the organisation must define and implement cybersecurity requirements including minimum controls as set out in the ECCs.
Data and information are to be classified and protected accordingly. Encryption is to be used in line with the organisation’s policies and relevant laws, and measures must be in place relating to back-up and recovery. This extends to measures to detect vulnerabilities and conduct penetration testing.
Cybersecurity events are to be logged and analysed, while systems to identify incidents and mitigate their effects must be in place.
Cybersecurity resilience aspects of the ECC’s main controls contemplate the incorporation of cybersecurity resiliency requirements into business continuity processes, thus minimising the impact of cybersecurity incidents on systems, data processing facilities and critical services.
In terms of third-party risks, the ECC’s main controls are focussed on issues relating to outsourcing and managed services, including the need to ensure that outsourcing and managed services follow organisational policies and procedures, as well as related laws and regulations.
With regard to cloud computing, the focus is on protecting cloud-hosted data and IT assets, as well as those processed or managed by third parties. For entities subject to the ECCs, the ECCs contemplate some degree of localisation, in that data hosting and storage sites need to be located in the Kingdom.
Entities subject to the ECCs are required to ensure that industrial control systems are managed appropriately to protect the confidentiality, integrity and availability of their assets against unauthorised access and destruction.
In May 2019, the CITC invited feedback on its draft Cybersecurity Regulatory Framework for the Information Communications and Technology Sector. The draft CRF sets out requirements to increase effectiveness in cybersecurity risk management in line with international best practices. The draft CRF would apply to all service providers licensed by the CITC (i.e. any person licensed by the CITC who either provides a telecommunications service to the public, operates a telecommunications network used by such person or by another person to provide a telecommunications service to the public, or both) their affiliates, staff, related third parties and customers.
The draft CRF contemplates CITC setting security targets by defining compliance levels pursuant to a risk based approach. Each level comprises a set of cybersecurity controls of varying complexity. Fulfilment of the preceding requirements will be necessary to achieve the next level of cybersecurity compliance. The draft CRF contemplates service providers being classified according to criticality in order to determine the applicable target compliance levels:
The essential responsibilities of licensed service providers include measures to be undertaken in the areas of governance, asset management, cybersecurity risk management, logical security, physical security and third party security.
Licensed service providers are required to:
Cybersecurity Risk Management:
Licensed service providers are required to prepare and enforce an appropriate cybersecurity risk assessment approach; and an appropriate approach to monitor and treat cybersecurity risk.
The draft CRF sets out obligations applicable to licensed service providers in developing software applications. These obligations include fulfilling the following requirements:
Licensed service providers will need to protect their information assets against physical damage and threats, manage physical access to facilities hosting such assets, address any environmental threats to such assets, and extend the same protection to such assets located outside their premises.
Third Party Security
The draft CRF proposes making it mandatory for licensed service providers to require third party cloud service providers and third party outsourced service providers to adopt the cybersecurity requirements stipulated by the CITC.
Pursuant to the draft CRF, the CITC will have the overall role of the regulator and will be empowered to monitor and enforce compliance of the stipulated requirements. For such purposes, it may undertake inspections of service provider facilities, carry out workshops for training and awareness, and undertake active and reactive audits. It will also be responsible for setting compliance targets and deadlines.
The draft CRF does not propose any penalties for licensed service providers who may be in violation of the stipulated requirements. Under its founding statute, the CITC is empowered to impose penalties for violations of the laws and regulations pertaining to the telecommunications sector, and we expect that this will provide the basis under which the CRF, if it comes into effect, will be enforced.
The public consultation process on the draft CRF was completed as of June 27, 2019. It is unclear when the finalised version of the draft CRF will become effective, or if any changes will be adopted in the interim. Industry participants are encouraged to watch this space.
Meanwhile, government agencies and critical national infrastructure operators will need to review their cybersecurity arrangements for compliance with the Essential Cybersecurity Controls.
Al Tamimi & Company’s Technology, Media & Telecommunication team regularly advises on regulatory issues concerning technology, telecommunications and cybersecurity in Saudi Arabia and the Middle East. For further information please contact Nick O’Connell (firstname.lastname@example.org), Amy Land Pejoska (email@example.com) or Zil Ur Rehman (firstname.lastname@example.org).